update

docs/Dockerfile

@@ -28,9 +28,9 @@ RUN apt-get update \
     && apt-get install -y nginx openssl 
 
 RUN rm -rf /usr/share/nginx/html/*
-COPY --from=builder /usr/src/app/docker/nginx.conf /etc/nginx/nginx.conf
-COPY --from=builder /usr/src/app/docker/nginxconfig/general.conf /etc/nginx/general.conf
-COPY --from=builder /usr/src/app/docker/nginxconfig/security.conf /etc/nginx/security.conf
+COPY --from=builder /usr/src/app/docs/conf/nginx.conf /etc/nginx/nginx.conf
+COPY --from=builder /usr/src/app/docs/conf/general.conf /etc/nginx/general.conf
+COPY --from=builder /usr/src/app/docs/conf/security.conf /etc/nginx/security.conf
 COPY --from=builder /usr/src/app/.vuepress/dist /usr/share/nginx/html
 # COPY --from=builder /usr/src/app/.env /usr/share/nginx/html/.env
 

docs/conf/general.conf

@@ -0,0 +1,100 @@
+# favicon.ico
+location = /public/favicon.ico {
+	log_not_found off;
+	access_log off;
+	error_log off;
+}
+
+# Disable directory listing
+location / {
+	autoindex  off;
+	try_files $uri $uri/ /index.html;
+}
+
+# assets, media, and Static File Caching while allowing safe files
+location ~* \.(?:css(\.map)?|js(\.map)?|ttf|ttc|otf|eot|woff2?|svgz?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv|pdf|docx?|dotx?|docm|dotm|xlsx?|xltx?|xlsm|xltm|pptx?|potx?|pptm|potm|ppsx?)$ {
+	add_header Access-Control-Allow-Origin "*";
+	add_header Cache-Control "public";
+	expires 365d;
+	# Nginx logs every request that hits the server to a log file. If you use analytics to monitor this, you may want to turn this functionality off. Simply edit the access_log directive:
+	access_log on;
+}
+
+# deny access to .htaccess files
+location ~ /\.ht {
+	deny  all;
+	error_log off;
+	log_not_found off;
+}
+
+# Deny access to hidden files (beginning with a period)
+location ~ /\. {
+	deny all;
+	error_log off;
+	log_not_found off;
+}
+
+
+location /video/ {
+	# To utilize operating system resources, set the value of this directive to on. sendfile transfers data between file descriptors within the OS kernel space without sending it to the application buffers. This directive will be used to serve small files.
+	sendfile       on;
+	# This directive enables multi-threading when set to on for write and read operation. Multi-threading is an execution model that allows multiple threads to execute separately from each other whilst sharing their hosting process resources.
+	aio            threads;
+	# This directive improves cache effectiveness by allowing read and write to be sent directly to the application.  directio is a filesystem feature of every modern operating system. This directive will be used to serve larger files like videos.
+	directio       8m;
+	# This directive assigns a block size value to the data transfer. It related to the directio  directive.
+	directio_alignment 1024;
+}
+
+# define error pages
+error_page 401 403 404  /index.html;
+location = /index.html {
+	root /opt/dist;
+	internal;
+}
+
+# redirect server error pages
+error_page   500 502 503 504  /index.html;
+location = / {
+	root   /opt/dist;
+	internal;
+}
+
+## Only GET, POST, PUT are allowed##
+if ($request_method !~ ^(GET|PUT|POST)$ ) {
+	return 444;
+}
+## In this case, it does not accept other HTTP method such as HEAD, DELETE, SEARCH, TRACE ##
+
+##  Only allow access to these domains/sub-domains samwanekeya.com and localhost
+# if ($host !~ ^(localhost|127.0.0.1|192.168.0.52|192.168.0.163)$ ) {
+# 	return 444;
+# }
+
+#Gzip can help reduce the amount of network transfer Nginx deals with. However, be careful increasing the gzip_comp_level too high as the server will begin wasting cpu cycles.
+#For those using Cloudflare as their CDN this is already taken care of - https://support.cloudflare.com/hc/en-us/articles/200168086-Does-Cloudflare-compress-resources-
+
+#If you want to enable compression, set the value of this directive to on. By default, it is disabled.
+gzip             on;
+# You can make use of this directive to set the compression level. In order not to waste CPU resources, you need not set the compression level too high. Between 1 and 9, you can set the compression level to 2 or 3.
+gzip_comp_level  2;
+# Set the minimum response length for compression via the content-length response header field. You can set it to more than 20 bytes.
+gzip_min_length  1000;
+gzip_proxied     expired no-cache no-store private auth;
+# This directive allows you to choose the response type you want to compress. By default, the response type text/html is always compressed. You can add other response type such as text/plain application/x-javascript text/xml as shown in the code above.
+# gzip_types       text/plain application/x-javascript text/xml text/css application/xml;
+# This directive allows you to choose the minimum HTTP version of a request for a compressed response. You can make use of the default value which is 1.1.
+#gzip_http_version 1.1;
+# When gzip directive is enabled, this directive add the header field Vary:Accept Encoding  to the response.
+#gzip_vary  on;
+# Some browsers such as Internet Explorer 6 do not have support for gzip compression. This directive make use of User-Agent request header field to disable compression for certain browsers.
+#gzip_disable "MSIE [4-6] \.";
+
+# This directive is disabled by default. Enable it if you want implement caching in Nginx. This directive stores metadata of files and directories commonly requested by users.
+open_file_cache max=1000 inactive=30s;
+# This directive contains backup information inside the open_file_cache directive. You can use this directive to set a valid period usually in seconds after which the information related to files and directories is re-validated again.
+open_file_cache_valid 30s;
+# Nginx usually clear information inside the open_file_cache directive after a period of inactivity based on the open_file_cache_min_uses. You can use this directive to set a minimum number of access to identify which files and directories are actively accessed.
+open_file_cache_min_uses 4;
+# You can make use of this directive to allow Nginx to cache errors  such as “permission denied” or “can’t access this file” when files are accessed. So anytime a resource is accessed by a user who does not have the right to do so, Nginx displays the same error report “permission denied”.
+open_file_cache_errors on;

docs/conf/nginx.conf

@@ -0,0 +1,44 @@
+# user  nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    # The maximum number of connections that each worker process can handle simultaneously. The default is 512, but most systems have enough resources to support a larger number. The appropriate setting depends on the size of the server and the nature of the traffic, and can be discovered through testing.
+    worker_connections 65535;
+    # This directive allows a worker to accept many connections in the queue at a time. A queue in this context simply means a sequence of data objects waiting to be processed.
+    multi_accept on;
+    # With this directive worker processes will accept new connections by turn. Otherwise, all worker processes will be notified about new connections, and if volume of new connections is low, some of the worker processes may just waste system resources.
+    accept_mutex on;
+    # This directive determines how long a worker should wait before accepting a new connection. Once the accept_mutex is turned on, a mutex lock is assigned to a worker for a timeframe specified by the accept_mutex_delay . When the timeframe is up, the next worker in line is ready to accept new connections.
+    accept_mutex_delay 200ms;
+    # This directive specifies the method to process a connection from the client. We decided to set the value to epoll because we are working on a Ubuntu platform. The epoll method is the most effective processing method for Linux platforms.
+    use epoll;
+    # This specifies the number of events that NGINX will pass to the kernel.
+    epoll_events 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    #tcp_nopush     on;
+
+    keepalive_timeout 65;
+
+    #gzip  on;
+    server_names_hash_bucket_size 64;
+    server_names_hash_max_size 512;
+
+    include /etc/nginx/general.conf;
+    include /etc/nginx/security.conf;
+
+}

docs/conf/security.conf

@@ -0,0 +1,32 @@
+# config to don't allow the browser to render the page inside an frame or iframe
+# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+add_header X-Frame-Options "SAMEORIGIN";
+#Handled by CDN admin
+# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# to disable content-type sniffing on some browsers.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+add_header X-Content-Type-Options "nosniff";
+# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+# this particular website if it was disabled by the user.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+add_header X-XSS-Protection "1; mode=block";
+
+add_header Referrer-Policy "no-referrer-when-downgrade";
+# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
+# you can tell the browser that it can only download content from the domains you explicitly allow
+# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.owasp.org/index.php/Content_Security_Policy
+# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
+# directives for css and js(if you have inline css or js, you will need to keep it too).
+# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
+# add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'";
+#For Clouflare users comment this out as it's handle from the admin UI
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+# Prevent search engine indexing
+add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";